ARM template with managed private endpoint fails while creating a release in azure devops - azure-devops

I have created a data factory with a pipeline moving data from a storage account to Azure SQL.
My company advised me to use a managed private endpoint to create the connection with Azure SQL.
Scenario:
I have a Dev resource group where my storage account, data factory and SQL sit, and a SIT resource group where the SIT resources sit. I have created a managed private endpoint in both data factories with the same name, but pointing to different SQL servers.
sql_mpe: /subscriptions/123456789/resourceGroups/rg-dev/providers/Microsoft.Sql/servers/dev-sql-server
sql_mpe: /subscriptions/123456789/resourceGroups/rg-sit/providers/Microsoft.Sql/servers/sit-sql-server
As you can see, the managed private endpoint created has the same name but points to different SQL servers based on the environment.
Now when I publish the dev ADF to Azure git, it takes the dev managed private endpoint keys as parameters as follows:
-sql_mpe_properties_privateLinkResourceId "/subscriptions/123456789/resourceGroups/rg-sit/providers/Microsoft.Sql/servers/sit-sql-server"
-sql_mpe_properties_groupId "sqlServer"
-sql_mpe_properties_ipAddress {}
-sql_mpe_properties_resourceId "/subscriptions/987654321/resourceGroups/vnet-45645632-UKSouth-567-rg/providers/Microsoft.Network/privateEndpoints/sit-sql-server.sql_mpe"
For some weird reason, in privateLinkResourceId the resource group and subscription are correct, but in resourceId they are weird values. I don't know where they come from, hence I can't comment on it.
Now when I run my release pipeline, I get the following error:
2022-03-14T15:33:41.5334804Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2022-03-14T15:33:41.5366078Z ##[debug]Processed: ##vso[task.issue type=error;]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2022-03-14T15:33:41.5373551Z ##[error]Details:
2022-03-14T15:33:41.5374630Z ##[debug]Processed: ##vso[task.issue type=error;]Details:
2022-03-14T15:33:41.5376732Z ##[error]ManagedPrivateEndpointInvalidPayload: Managed private endpoint 'sql_mpe' is invalid.
The error is very generic, hence I went through the docs to understand it. I found the below reason in the Azure doc Best practices for CI/CD:
If a private endpoint already exists in a factory and you try to
deploy an ARM template that contains a private endpoint with the same
name but with modified properties, the deployment will fail.
So I got to know that if you deploy a managed private endpoint with the same name but different (modified) properties (like my SIT endpoint pointing to SIT), it will fail.
So now I know why the pipeline is failing.
I have to fix this issue for a successful release.
Below are the possible options that I can go with, but I don't know how. This is where I require some help/assistance:
1. The resourceId value needs to be understood and changed for SIT (I mentioned some weird values are getting in there, and in the template I am just overriding the 'dev' part to 'sit'; I am not changing the vnet resource group and other values).
2. Remove the managed private endpoint parameters from the template before publishing to Azure git, or remove them before creating a release. If I release them in the pipeline, the error is caused.
Need some insight and help here.
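The second option above, stripping the managed private endpoint resources and their parameters from the exported factory template before the release task runs, can be scripted. The following is an added example, not code from the question or from Microsoft; it assumes the shape of the factory's exported ARMTemplateForFactory.json and ARMTemplateParametersForFactory.json (a `parameters` map, a `resources` list, and managed private endpoints exported under the resource type `Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints`). The sample template embedded below is constructed for the demonstration. Keeping the dev endpoint's `resourceId` out of the SIT deployment also means the SIT factory's private network path is never silently rewritten to point at another environment's resources; the SIT endpoint stays managed in the SIT factory itself.

```python
import json
import re

# Resource type under which the factory export emits managed private endpoints (assumption).
MPE_TYPE = "Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints"


def strip_managed_private_endpoints(template: dict, parameters: dict):
    """Return copies of the ARM template and parameters file without managed
    private endpoint resources, plus the names of the parameters dropped
    because only those resources referenced them."""
    template = json.loads(json.dumps(template))      # deep copies: inputs are not mutated
    parameters = json.loads(json.dumps(parameters))

    resources = template.get("resources", [])
    kept = [r for r in resources if r.get("type") != MPE_TYPE]
    for r in kept:
        # dependsOn entries that point at a removed endpoint would make ARM fail validation
        if "dependsOn" in r:
            r["dependsOn"] = [d for d in r["dependsOn"] if "managedPrivateEndpoints" not in d]
    template["resources"] = kept

    # A parameter is still needed if any remaining part of the template uses parameters('name')
    remaining_text = json.dumps({k: v for k, v in template.items() if k != "parameters"})
    referenced = set(re.findall(r"parameters\('([^']+)'\)", remaining_text))
    declared = template.get("parameters", {})
    removed = sorted(name for name in declared if name not in referenced)

    template["parameters"] = {k: v for k, v in declared.items() if k in referenced}
    parameters["parameters"] = {
        k: v for k, v in parameters.get("parameters", {}).items() if k not in removed
    }
    return template, parameters, removed


# Constructed sample export; subscription ids and names are placeholders, not real values.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "factoryName": {"type": "string"},
        "sql_mpe_properties_privateLinkResourceId": {"type": "string"},
        "sql_mpe_properties_groupId": {"type": "string"},
        "sql_mpe_properties_ipAddress": {"type": "object"},
        "sql_mpe_properties_resourceId": {"type": "string"},
    },
    "variables": {"factoryId": "[concat('Microsoft.DataFactory/factories/', parameters('factoryName'))]"},
    "resources": [
        {
            "name": "[concat(parameters('factoryName'), '/AzureSqlLS')]",
            "type": "Microsoft.DataFactory/factories/linkedServices",
            "properties": {"type": "AzureSqlDatabase"},
            # constructed dependency so the dependsOn clean-up is exercised
            "dependsOn": ["[concat(variables('factoryId'), '/managedVirtualNetworks/default/managedPrivateEndpoints/sql_mpe')]"],
        },
        {
            "name": "[concat(parameters('factoryName'), '/default/sql_mpe')]",
            "type": MPE_TYPE,
            "properties": {
                "privateLinkResourceId": "[parameters('sql_mpe_properties_privateLinkResourceId')]",
                "groupId": "[parameters('sql_mpe_properties_groupId')]",
                "ipAddress": "[parameters('sql_mpe_properties_ipAddress')]",
                "resourceId": "[parameters('sql_mpe_properties_resourceId')]",
            },
        },
    ],
}

PARAMETERS = {
    "parameters": {
        "factoryName": {"value": "adf-dev"},
        "sql_mpe_properties_privateLinkResourceId": {"value": "/subscriptions/<sub>/resourceGroups/rg-dev/providers/Microsoft.Sql/servers/dev-sql-server"},
        "sql_mpe_properties_groupId": {"value": "sqlServer"},
        "sql_mpe_properties_ipAddress": {"value": {}},
        "sql_mpe_properties_resourceId": {"value": "/subscriptions/<other-sub>/resourceGroups/<vnet-rg>/providers/Microsoft.Network/privateEndpoints/dev-sql-server.sql_mpe"},
    }
}

if __name__ == "__main__":
    new_template, new_params, dropped = strip_managed_private_endpoints(TEMPLATE, PARAMETERS)
    print("dropped parameters:", dropped)
    print("remaining resources:", [r["type"] for r in new_template["resources"]])
    print(json.dumps(new_params, indent=2))
```

In a release, run this against the artifact's template and parameter files, write the stripped copies, and point the ARM deployment task at them; the SIT managed private endpoint is then created and approved once in the SIT factory rather than re-deployed with dev values on every release.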

Related

Azure Policies - ARM to Bicep conversion issues

We are working on creating a custom Azure policy with a DiNE effect to deploy certain resources based on tag existence.
Looking at the built-in policies for tagging, it seems there is a way to determine tag existence and run deployments using Azure policies.
Due to our internal deployments and SDPs, I need to convert the custom policy definition to Bicep and then deploy it.
I have installed the Bicep tools/VS Code and am hitting the errors below during conversion.
Can you share inputs on how to handle these? Or is there any extended product documentation on how to use scope and resource functions in Bicep, as the current product documentation doesn't have these details?
Issue: Unable to check the subscription tag existence in Bicep azure policy definition file.
(screenshot: https://i.stack.imgur.com/MKcGj.jpg)
Policy definitions for tagging resources - Azure Resource Manager | Microsoft Learn
https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb27a0cbd-a167-4dfa-ae64-4337be671140
Tried to escape the subscription function check, but it is not working in the Bicep file.

Azure DataFactory: Deployment Failed: At least one resource deployment operation failed

I am trying to deploy Azure Data Factory from development to Test and Production instances using Azure DevOps. The pipeline steps include:
Copying the Linked Templates to a storage account (Azure PowerShell Task).
Disabling the triggers (Azure PowerShell Task).
ARM Template Deployment (Azure Resource Group Deployment Task).
Enabling the Triggers (Azure PowerShell Task).
I have set the override parameters for Test and Production Tasks.
The deployment to the Test Data Factory completed successfully. However, when I tried deploying it to the Production Data Factory, it failed, giving the following error:
There were errors in your deployment. Error code: DeploymentFailed.
2022-11-24T14:20:51.2337688Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2022-11-24T14:20:51.2339819Z ##[debug]Processed: ##vso[task.issue type=error;]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2022-11-24T14:20:51.2340752Z ##[error]Details:
2022-11-24T14:20:51.2341700Z ##[debug]Processed: ##vso[task.issue type=error;]Details:
2022-11-24T14:20:51.2343511Z ##[error]DeploymentFailed: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2022-11-24T14:20:51.2351532Z ##[error]Task failed while creating or updating the template deployment.
2022-11-24T14:20:51.2352528Z ##[debug]Processed: ##vso[task.issue type=error;]Task failed while creating or updating the template deployment.
2022-11-24T14:20:51.2361768Z ##[debug]Processed: ##vso[task.complete result=Failed;]Task failed while creating or updating the template deployment.
I checked the steps for the Test and Production tasks, and both seem correct to me. The resource group, Data Factory name and template parameters have all been set up.
How do I resolve this, since the error doesn't point to anything specific?
The issue was with my connection to the Shared Integration Runtime for Data Factory.
So, the steps I followed were as follows:
In the Azure Portal, go to your Resource Group -> Activity Log
Here, I found the exact cause of my Data Factory deployment failing.
Access denied. Unable to access shared integration runtime 'integrationRuntimeSelfHosted'. Please check whether this resource has been granted permission by the shared integration runtime.
Then I went to the Data Factory, where I had created the integration runtime and granted access to the new Data Factory which I was trying to deploy.
Go to Azure DevOps -> Deploy the Pipeline again.
Following the above steps helped me resolve my issue.
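The error text in both questions on this page says "Please list deployment operations for details", and the answer above found the real cause in the Activity Log. The same detail is available as JSON, for example from `az deployment group operation list --resource-group <rg> --name <deployment>`, which is the shape the added example below assumes (each operation carrying `properties.provisioningState`, `properties.statusMessage` and `properties.targetResource`); this is example code, not from the question or from Microsoft, and the three operations embedded are constructed to cover a succeeded operation, a failure with a structured error, and a failure where the status message arrived as a plain string.

```python
import json


def _error_parts(status_message):
    """Normalise a statusMessage (dict, JSON string or plain text) to (code, message)."""
    if isinstance(status_message, str):
        try:
            status_message = json.loads(status_message)
        except ValueError:
            return "Unknown", status_message       # free-text message, no error code available
    if not isinstance(status_message, dict):
        return "Unknown", str(status_message)
    err = status_message.get("error", status_message)  # ARM wraps details under "error"
    return err.get("code", "Unknown"), err.get("message", json.dumps(err))


def failed_operations(operations):
    """Return one summary dict per operation whose provisioningState is Failed."""
    failures = []
    for op in operations:
        props = op.get("properties", {})
        if props.get("provisioningState") != "Failed":
            continue
        # The wrapper operation for the deployment itself has no targetResource.
        target = props.get("targetResource") or {}
        code, message = _error_parts(props.get("statusMessage"))
        failures.append({
            "resource": target.get("id", "<deployment>"),
            "type": target.get("resourceType", "Microsoft.Resources/deployments"),
            "code": code,
            "message": message,
        })
    return failures


# Constructed sample operations; ids are placeholders.
SAMPLE_OPERATIONS = [
    {
        "operationId": "op-1",
        "properties": {
            "provisioningState": "Succeeded",
            "statusMessage": None,
            "targetResource": {"id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.DataFactory/factories/adf-prod/triggers/daily",
                               "resourceType": "Microsoft.DataFactory/factories/triggers"},
        },
    },
    {
        "operationId": "op-2",
        "properties": {
            "provisioningState": "Failed",
            "statusCode": "BadRequest",
            "statusMessage": {"error": {"code": "ManagedPrivateEndpointInvalidPayload",
                                        "message": "Managed private endpoint 'sql_mpe' is invalid."}},
            "targetResource": {"id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.DataFactory/factories/adf-prod/managedVirtualNetworks/default/managedPrivateEndpoints/sql_mpe",
                               "resourceType": "Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints"},
        },
    },
    {
        "operationId": "op-3",
        "properties": {
            "provisioningState": "Failed",
            "statusMessage": "Access denied. Unable to access shared integration runtime 'integrationRuntimeSelfHosted'.",
            "targetResource": None,
        },
    },
]

if __name__ == "__main__":
    for f in failed_operations(SAMPLE_OPERATIONS):
        print(f"{f['type']}\n  {f['resource']}\n  {f['code']}: {f['message']}")
```

Piping the real command output into `failed_operations` gives the per-resource error code and message that the generic "At least one resource deployment operation failed" line hides, which is the same information the Activity Log shows in the portal.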

Upon CICD Pipeline deployment to another environment I get a bad resource error for a Linked Service in ADF. I can't update it or delete it

I am pushing an ADF factory to another environment via a CICD Pipeline and YAML Config file in Azure Devops. I can successfully deploy but one of my linked services becomes a "bad resource" although it works in the master branch when I published it.
Furthermore, I cannot delete this in the target data factory, nor can I edit it. I get the bad resource error. I suspect I need to edit something in the ARM file, but I don't really understand this error, nor can I find much information on anything similar.
{"stack":"Error: Error: Unable to save [SERVICENAME]. Bad resource\n at Rl.<anonymous> (https://adf.azure.com/app.06b0e174dd8e6fa8.js:1:11274843)\n at Generator.next (<anonymous>)\n at https://adf.azure.com/main.d1fe4ec6f69aa72f.js:1:66326\n at new c
That when I deploy my ADF to a new environment it succeeds with connections intact or at least that I can fix/edit.
EDIT: Even when I recreate the Linked Service I get the same error.
The answer to this is to store all of your connection credentials as secrets in Azure Key Vault, then reference that. I am unclear why using the parameters in a linked service does not transfer into the ARM template and this causes it to be a "bad resource", but the Key Vault method translates into ARM correctly and the problem doesn't persist.

AzureSubscription and azureContainerRegistry connection from Library

I have created a Docker Compose task in my pipeline, and Azure generated the code. The azureSubscription and the azureContainerRegistry connection are in clear text.
I tried to replace them with variables from the Library, but when the pipeline starts I immediately get an error.
There was a resource authorization issue: "The pipeline is not valid. Job Build: Step DockerCompose1 input azureSubscriptionEndpoint references service connection $(AzureSubscription) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. Job Build: Step DockerCompose2 input azureSubscriptionEndpoint references service connection $(AzureSubscription) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."
Basically, Azure DevOps can't replace the variable with the value for those particular parameters. I don't want to send around those configurations, for obvious reasons.
I saw some old posts where Microsoft said this was an issue in DevOps. Is this issue still there? Is there any way to move those values into the Library or a variable?
This is still an issue. It has to be a literal or a variable defined in YAML. It cannot be a variable provided via a variable group, for instance. Please check these topics:
How to parametrize azureSubscription in azure devops template task
Azure subscription endpoint ID cannot be provided through a variable in build definition YAML file

Azure Resource Manager Service Connection not connecting

We currently have one DevOps repository with a functional CI/CD pipeline. We have another website hosted on a different instance (and in a different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving us the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended troubleshooting, making sure that the user is in a Global Administrator role and whatnot, but still no luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to the Azure Portal, select the subscription, select IAM and assign the Reader role to my service principal. Full explanation here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There is one repository and two instances of the application on the Azure portal. For the first instance, the Pay-As-You-Go subscription is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used, and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor.
UPD: I was helped by re-creating the application in the Azure portal:
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principal will not require permissions at the Subscription level, like for example when providing access to a Key Vault.
Check if the service connection for the second instance is correctly added in project settings: